copilot-sdk

Enables developers to build applications using GitHub Copilot SDK for seamless integration across multiple programming languages.

Install this skill

52/100

Security score

The copilot-sdk skill was audited on May 15, 2026 and we found 20 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 305

Template literal with variable interpolation in command context

SourceSKILL.md

305	modifiedPrompt: `[User from engineering team] ${input.prompt}`,

medium line 320

Template literal with variable interpolation in command context

SourceSKILL.md

320	console.log(`Session ${invocation.sessionId} started (${input.source})`);

medium line 399

Template literal with variable interpolation in command context

SourceSKILL.md

399	```typescript

medium line 767

Template literal with variable interpolation in command context

SourceSKILL.md

767

```yaml

medium line 622

Access to hidden dotfiles in home directory

SourceSKILL.md

622	Session state is saved to `~/.copilot/session-state/{sessionId}/`:

medium line 797

Access to hidden dotfiles in home directory

SourceSKILL.md

797	- Persistent storage: mount `~/.copilot/session-state/` for containers

medium line 775

Access to root home directory

SourceSKILL.md

775	- session-data:/root/.copilot/session-state

low line 471

Access to .env file

SourceSKILL.md

471	const client = new CopilotClient({ githubToken: process.env.GITHUB_TOKEN });

low line 506

Access to .env file

SourceSKILL.md

506	provider: { type: "openai", baseUrl: "https://api.openai.com/v1", apiKey: process.env.OPENAI_API_KEY }

low line 514

Access to .env file

SourceSKILL.md

514	apiKey: process.env.FOUNDRY_API_KEY,

low line 524

Access to .env file

SourceSKILL.md

524	apiKey: process.env.AZURE_OPENAI_KEY,

low line 531

Access to .env file

SourceSKILL.md

531	provider: { type: "anthropic", baseUrl: "https://api.anthropic.com", apiKey: process.env.ANTHROPIC_API_KEY }

low line 404

External URL reference

SourceSKILL.md

404	url: "https://api.githubcopilot.com/mcp/",

low line 506

External URL reference

SourceSKILL.md

506	provider: { type: "openai", baseUrl: "https://api.openai.com/v1", apiKey: process.env.OPENAI_API_KEY }

low line 513

External URL reference

SourceSKILL.md

513	baseUrl: "https://your-resource.openai.azure.com/openai/v1/",

low line 523

External URL reference

SourceSKILL.md

523	baseUrl: "https://my-resource.openai.azure.com", // Just the host — no /openai/v1

low line 531

External URL reference

SourceSKILL.md

531	provider: { type: "anthropic", baseUrl: "https://api.anthropic.com", apiKey: process.env.ANTHROPIC_API_KEY }

low line 536

External URL reference

SourceSKILL.md

536	provider: { type: "openai", baseUrl: "http://localhost:11434/v1" }

low line 559

External URL reference

SourceSKILL.md

559	token = credential.get_token("https://cognitiveservices.azure.com/.default").token

low line 902

External URL reference

SourceSKILL.md

902	- [MCP Protocol Specification](https://modelcontextprotocol.io)

Scanned on May 15, 2026

View Security Dashboard

Installation guide →

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

openclaw api backend backend-developer fullstack-developer ml-ai-engineer product-manager technical-pm github development product

davidrrowley/CortexYouV3